Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Search for:

Another (sigh) IE Zero-Day

Posted December 30, 2012 BeyondTrust Research Team

Unfortunately, the security industry was not going to escape 2012 without seeing yet another zero-day vulnerability in Microsoft’s Internet Explorer. It has been discovered that a targeted attack, leveraging a zero-day in IE, has been posed against the Council on Foreign Relations Portal. The technical origin of the flaw is as follows: the vulnerability occurs due to a CButton object being used after it is freed in mshtml!CMarkup::OnLoadStatusDone and has been assigned CVE-2012-4792. The known targeted exploit relies on both Java 1.6 and Adobe Flash (the dynamic duo of client side attack vectors, as of late) to achieve code execution on Windows 7 (as well as those still rocking Win XP, or browsing from their server OS’s) and only affects Internet Explorer 8 and lower. Also of note is that a Metasploit module for this vulnerability has been released.

Leave a Reply

One Response to “Another (sigh) IE Zero-Day”

[…] you’ve been following the security news recently, you’ll no doubt have heard of the recently disclosed Internet Explorer zero day, CVE-2012-4792, that made its rounds this last month. Well, you’ll also note that this month does […]

On Demand Webinar: Dave Shackleford recounts some of his personal experiences in patch management failure, and breaks down the most critical issues holding many teams back from patching more effectively.